
tshark is missing QUIC in “decode-as” protocol list

0

In trying to dissect captured QUIC traffic with tshark, I cannot set the "decode as" protocol (-d udp.port==5555,quic) because quic is not recognized by tshark as a layer protocol (-d '' does not list it). It is listed in decode_as_entries. "tshark -G decodes" does list it as well, but tshark does not pick it up for some reason.

Would appreciate any suggestion on how to resolve this.

asked 07 Nov '16, 10:08

iez

edited 07 Nov '16, 10:33


One Answer:

0

The solution is to either:

  1. Modify the Wireshark source code for the version you're using to register QUIC as eligible for Decode-As (how you do this depends on the version you're running)
  2. (or) upgrade to Wireshark 2.2 (in which QUIC is eligible for Decode-As)

(It might work in versions earlier than 2.2--I didn't check exactly what version that functionality showed up in.)

answered 07 Nov '16, 13:03

JeffMorriss ♦

Thanks, Jeff. I am running "Version 2.2.1 (v2.2.1-0-ga6fbd27 from master-2.2)". Wireshark has no problem with decode_as. tshark does not recognize it.

(07 Nov '16, 13:10) iez